Researchers from BleepingComputer reported that operators behind the Zeppelin ransomware-as-a-service (RaaS), aka Buran, have resumed their operations after a temporary interruption. Unlike other ransomware, Zeppelin operators do not steal data from the victims and don’t run a leak site.
Zeppelin ransomware first appeared on the threat landscape in November 2019 when experts from BlackBerry Cylance found a new variant of the Vega RaaS, dubbed Zeppelin. The new variant was involved in attacks aimed at technology and healthcare companies across Europe, the United States, and Canada. Zeppelin was first discovered in November, at the time it was distributed through watering hole attack in which the PowerShell payloads were hosted on the Pastebin website.
Unlike other variants of the Vega ransomware, the Zeppelin ransomware doesn’t infect users in Russia or other ex-USSR countries like Ukraine, Belorussia, and Kazakhstan.
Upon execution, the ransomware enumerates files on all drives and network shares and attempt to encrypt them, experts noticed that the encryption algorithm used is the same as the one of the other Vega variants.
Last month experts spotted a new variant of the ransomware on a hacker forum allowing buyers to opt how to use the malware.
“This is in contrast with the classic RaaS operations, where developers typically look for partners to breach into a victim network, to steal data, and deploy the file-encrypting malware. The two parties then split paid ransoms, with developers getting the smaller piece (up to 30%).” reported BleepingComputer.
Researchers from Advanced Intel (AdvIntel) reported that developers of the Zeppelin ransomware updated their malware in April implementing some enhancements.
The malware was available for sale at a price tag of $2,300 per core build, but they offered individual conditions to their subscribers.
Advanced Intel researchers pointed out that even if the Zeppelin gang doesn’t implement a common RaaS model, they represent a serious threat to organizations worldwide.
(SecurityAffairs – hacking, ransomware)